perl.perl5.porters | Postings from December 2012

Re: security notice: Locale::Maketext

From:
Dominic Hargreaves
Date:
December 5, 2012 18:51
Subject:
Re: security notice: Locale::Maketext
Message ID:
20121205185119.GR4116@urchin.earth.li
On Wed, Dec 05, 2012 at 10:51:47AM -0500, Ricardo Signes wrote:
> 
> Locale::Maketext is a core l10n library that expands templates found in
> strings.
> 
> Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
> and these fixes are now in blead and on the CPAN.
> 
> The commit in question is
> http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
> 
> The flaws are:
> 
> * in a [method,x,y,z] template, the method could be a fully-qualified name
> * template expansion did not properly quote metacharacters, allowing
>   code injection through a malicious template
> 
> Please upgrade your Locale::Maketext, especially if you allow user-provided
> templates.

Hi Ricardo,

Thanks for this! I wondered (and the question has arisen within the
Debian project) whether anyone might be relying on the previous
behaviour? Have you been able to do any assessment of this?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
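The notice above urges upgrading "especially if you allow user-provided templates". The script below is an added example, not code from the advisory, from the linked commit, or from Locale::Maketext itself: it shows the pattern that makes user input reach the template compiler (a lexicon with `_AUTO => 1`, so unknown keys are compiled as templates) and puts a screening step in front of it that refuses any bracket group whose method is package-qualified, the shape of the first flaw listed, or not on a short allow-list of the standard formatting helpers. The package names, the allow-list, the screening logic and the sample templates are assumptions made for this illustration; screening is a belt-and-braces measure on top of the upgrade, not a substitute for it.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or from Locale::Maketext itself):
# screen user-supplied bracket-notation templates before Locale::Maketext
# compiles them.  Package names, the allow-list and the sample templates
# are assumptions made for this illustration.
use strict;
use warnings;

package My::L10N;                    # hypothetical project class
use parent 'Locale::Maketext';

package My::L10N::en;                # hypothetical language class
use parent -norequire, 'My::L10N';
our %Lexicon = (
    # _AUTO => 1 tells maketext to compile unknown keys as templates,
    # which is exactly the "user-provided templates" situation.
    _AUTO => 1,
);

package main;

# Bracket-notation methods a user template may call: the standard
# formatting helpers only.  Anything else, including any package-
# qualified name, is refused before the template is compiled.
my %ALLOWED = map { $_ => 1 } qw(_ quant numf numerate sprintf * #);

# Returns a reason string if $tmpl is rejected, undef if it is acceptable.
sub template_problem {
    my ($tmpl) = @_;

    # Drop tilde escapes (~[ ~] ~, ~~) so they are not read as syntax.
    (my $scan = $tmpl) =~ s/~.//gs;

    # Bracket groups do not nest and must be closed.
    return 'unbalanced or nested brackets'
        if $scan =~ /\[[^\]]*\[/ || ($scan =~ tr/[//) != ($scan =~ tr/]//);

    while ($scan =~ /\[([^\]]*)\]/g) {
        my ($method) = split /,/, $1, -1;
        $method = '' unless defined $method;
        next if $method =~ /\A_(?:\d+|\*)\z/;      # [_1], [_*] parameter refs
        return "package-qualified method '$method'" if $method =~ /::|'/;
        return "method '$method' not in allow-list" unless $ALLOWED{$method};
    }
    return undef;
}

my $lh = My::L10N->get_handle('en')
    or die "could not get a language handle\n";

# Constructed sample templates: the first two are ordinary, the third
# uses a package-qualified method name (the first flaw in the notice),
# the fourth is malformed.
for my $tmpl (
    'Hello, [_1]!',
    '[quant,_1,file,files] uploaded',
    '[Some::Package::function,_1] uploaded',
    '[numf,_1 uploaded',
) {
    if (my $why = template_problem($tmpl)) {
        print "REJECT $tmpl ($why)\n";
    }
    else {
        print "OK     ", $lh->maketext($tmpl, 3), "\n";
    }
}
```

The screen runs on the raw template text before `maketext` sees it, so a refused template is never compiled at all; templates that pass are handed to the module unchanged, with the fixed module's own quoting still doing the real work on metacharacters.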
